rabbitmq-server/deps/rabbitmq_auth_backend_oauth2/demo/setup.sh

#!/usr/bin/env bash

gem list cf-uaac | grep cf-uaac || exit 1
gem list bunny | grep bunny || exit 1

target=${UAA_HOST:="http://localhost:8080/uaa"}
# export to use a different ctl, e.g. if the node was built from source
ctl=${RABBITMQCTL:="rabbitmqctl"}

# Target the server
uaac target $target

# Get admin client to manage UAA
uaac token client get admin -s adminsecret

# Set permission to list signing keys
uaac client update admin --authorities "clients.read clients.secret clients.write uaa.admin clients.admin scim.write scim.read uaa.resource"

# Rabbit UAA user
# The user name and password needed to retrieve access tokens,
# RabbiMQ does not have to be aware of this credentials.
uaac user add rabbit_super -p rabbit_super --email rabbit_super@example.com
uaac user add rabbit_nosuper -p rabbit_nosuper --email rabbit_nosuper@example.com

# Create permissions
# Uaa groups will become scopes, which should define RabbitMQ permissions and tags.
uaac group add "rabbitmq.read:*/*"
uaac group add "rabbitmq.write:*/*"
uaac group add "rabbitmq.configure:*/*"

uaac group add "rabbitmq.write:uaa_vhost/*"
uaac group add "rabbitmq.read:uaa_vhost/some*"

uaac group add "rabbitmq.tag:administrator"

# Assigning groups to users.
# rabbit_super will be able to read,write and configure any resources.
# They will be able to connect to the management plugin as well.
uaac member add "rabbitmq.read:*/*" rabbit_super
uaac member add "rabbitmq.write:*/*" rabbit_super
uaac member add "rabbitmq.configure:*/*" rabbit_super
uaac member add "rabbitmq.tag:administrator" rabbit_super

# rabbit_nosuper will be able to read uaa_vhost resources starting with some
# and write to any uaa_vhost resources
uaac member add "rabbitmq.write:uaa_vhost/*" rabbit_nosuper
uaac member add "rabbitmq.read:uaa_vhost/some*" rabbit_nosuper

# Configure RabbiqMQ
# Add uaa_vhost and other vhost to check permissions
$ctl add_vhost uaa_vhost
$ctl add_vhost other_vhost

# add e.g. --access_token_validity 60 --refresh_token_validity 3600 to experiment with token validity
uaac client add rabbit_client --name rabbit_client --scope 'rabbitmq.*' --authorized_grant_types password,client_credentials --authorities rabbitmq --secret rabbit_secret --redirect_uri 'http://localhost:15672'

# Set guest user permissions to create queues.
$ctl set_permissions -p uaa_vhost guest '.*' '.*' '.*'
$ctl set_permissions -p other_vhost guest '.*' '.*' '.*'

# Get access tokens
uaac token owner get rabbit_client rabbit_super -s rabbit_secret -p rabbit_super
uaac token owner get rabbit_client rabbit_nosuper -s rabbit_secret -p rabbit_nosuper

echo "Auth info for rabbit_nosuper user
This user will have read access to uaa_vhost resources,
which name start with some and write access to all uaa_vhost resources.
Use access_token as a RabbitMQ password, the username is ignored"
echo
uaac context rabbit_nosuper
echo

echo "Auth info for rabbit_super user
This user will have full access to all rabbitmq vhosts.
Use access_token as a RabbitMQ password, the username is ignored"
echo
uaac context rabbit_super
echo

# Create queues
ruby demo/declare_queues.rb uaa_vhost/some_queue uaa_vhost/other_queue other_vhost/some_queue other_vhost/other_queue
UAA configuration demo 2017-09-20 23:42:42 +08:00			`#!/usr/bin/env bash`

Fix demo script. Add rabbit_client client to request token. 2018-06-25 22:29:12 +08:00			`gem list cf-uaac \| grep cf-uaac \|\| exit 1`
			`gem list bunny \| grep bunny \|\| exit 1`
UAA configuration demo 2017-09-20 23:42:42 +08:00
Use HTTP to talk to the local UAA It's sufficient for the purposes of this demo script. 2017-09-28 20:16:28 +08:00			`target=${UAA_HOST:="http://localhost:8080/uaa"}`
			`# export to use a different ctl, e.g. if the node was built from source`
UAA configuration demo 2017-09-20 23:42:42 +08:00			`ctl=${RABBITMQCTL:="rabbitmqctl"}`

			`# Target the server`
			`uaac target $target`

			`# Get admin client to manage UAA`
			`uaac token client get admin -s adminsecret`

			`# Set permission to list signing keys`
			`uaac client update admin --authorities "clients.read clients.secret clients.write uaa.admin clients.admin scim.write scim.read uaa.resource"`

			`# Rabbit UAA user`
			`# The user name and password needed to retrieve access tokens,`
			`# RabbiMQ does not have to be aware of this credentials.`
			`uaac user add rabbit_super -p rabbit_super --email rabbit_super@example.com`
			`uaac user add rabbit_nosuper -p rabbit_nosuper --email rabbit_nosuper@example.com`

			`# Create permissions`
Document tag support For management plugin access. Add a tag to the super user in the demo. 2019-07-09 23:44:27 +08:00			`# Uaa groups will become scopes, which should define RabbitMQ permissions and tags.`
Fix demo script. Add rabbit_client client to request token. 2018-06-25 22:29:12 +08:00			`uaac group add "rabbitmq.read:/"`
			`uaac group add "rabbitmq.write:/"`
			`uaac group add "rabbitmq.configure:/"`
UAA configuration demo 2017-09-20 23:42:42 +08:00
Fix demo script. Add rabbit_client client to request token. 2018-06-25 22:29:12 +08:00			`uaac group add "rabbitmq.write:uaa_vhost/*"`
			`uaac group add "rabbitmq.read:uaa_vhost/some*"`
UAA configuration demo 2017-09-20 23:42:42 +08:00
Document tag support For management plugin access. Add a tag to the super user in the demo. 2019-07-09 23:44:27 +08:00			`uaac group add "rabbitmq.tag:administrator"`

UAA configuration demo 2017-09-20 23:42:42 +08:00			`# Assigning groups to users.`
			`# rabbit_super will be able to read,write and configure any resources.`
Document tag support For management plugin access. Add a tag to the super user in the demo. 2019-07-09 23:44:27 +08:00			`# They will be able to connect to the management plugin as well.`
Fix demo script. Add rabbit_client client to request token. 2018-06-25 22:29:12 +08:00			`uaac member add "rabbitmq.read:/" rabbit_super`
			`uaac member add "rabbitmq.write:/" rabbit_super`
			`uaac member add "rabbitmq.configure:/" rabbit_super`
Document tag support For management plugin access. Add a tag to the super user in the demo. 2019-07-09 23:44:27 +08:00			`uaac member add "rabbitmq.tag:administrator" rabbit_super`
UAA configuration demo 2017-09-20 23:42:42 +08:00
			`# rabbit_nosuper will be able to read uaa_vhost resources starting with some`
			`# and write to any uaa_vhost resources`
Fix demo script. Add rabbit_client client to request token. 2018-06-25 22:29:12 +08:00			`uaac member add "rabbitmq.write:uaa_vhost/*" rabbit_nosuper`
			`uaac member add "rabbitmq.read:uaa_vhost/some*" rabbit_nosuper`
UAA configuration demo 2017-09-20 23:42:42 +08:00
			`# Configure RabbiqMQ`
			`# Add uaa_vhost and other vhost to check permissions`
			`$ctl add_vhost uaa_vhost`
			`$ctl add_vhost other_vhost`

Mention arguments to change token validity for client In demo. 2019-06-19 15:49:21 +08:00			`# add e.g. --access_token_validity 60 --refresh_token_validity 3600 to experiment with token validity`
Fix demo script. Add rabbit_client client to request token. 2018-06-25 22:29:12 +08:00			`uaac client add rabbit_client --name rabbit_client --scope 'rabbitmq.*' --authorized_grant_types password,client_credentials --authorities rabbitmq --secret rabbit_secret --redirect_uri 'http://localhost:15672'`

UAA configuration demo 2017-09-20 23:42:42 +08:00			`# Set guest user permissions to create queues.`
			`$ctl set_permissions -p uaa_vhost guest '.' '.' '.*'`
			`$ctl set_permissions -p other_vhost guest '.' '.' '.*'`

			`# Get access tokens`
Fix demo script. Add rabbit_client client to request token. 2018-06-25 22:29:12 +08:00			`uaac token owner get rabbit_client rabbit_super -s rabbit_secret -p rabbit_super`
			`uaac token owner get rabbit_client rabbit_nosuper -s rabbit_secret -p rabbit_nosuper`
UAA configuration demo 2017-09-20 23:42:42 +08:00
			`echo "Auth info for rabbit_nosuper user`
			`This user will have read access to uaa_vhost resources,`
			`which name start with some and write access to all uaa_vhost resources.`
uaa_jwt is no longer a separate application In order for uaa_jwt settings to be populated by config files, they have to be part of a defined and running application. This PR adds support for a uaa_jwt sub-key of the main rabbitmq_auth_backend_oauth2 env key. 2018-07-21 06:25:09 +08:00			`Use access_token as a RabbitMQ password, the username is ignored"`
UAA configuration demo 2017-09-20 23:42:42 +08:00			`echo`
			`uaac context rabbit_nosuper`
			`echo`

Make sure "superuser" information is output last It is more likely that the user won't read any of the output and will copy the last token printed. 2017-09-29 20:53:26 +08:00			`echo "Auth info for rabbit_super user`
			`This user will have full access to all rabbitmq vhosts.`
uaa_jwt is no longer a separate application In order for uaa_jwt settings to be populated by config files, they have to be part of a defined and running application. This PR adds support for a uaa_jwt sub-key of the main rabbitmq_auth_backend_oauth2 env key. 2018-07-21 06:25:09 +08:00			`Use access_token as a RabbitMQ password, the username is ignored"`
Make sure "superuser" information is output last It is more likely that the user won't read any of the output and will copy the last token printed. 2017-09-29 20:53:26 +08:00			`echo`
			`uaac context rabbit_super`
			`echo`

Make sure demo/setup.sh doesn't stop on subsequent runs 2017-09-29 20:44:33 +08:00			`# Create queues`
			`ruby demo/declare_queues.rb uaa_vhost/some_queue uaa_vhost/other_queue other_vhost/some_queue other_vhost/other_queue`